Discussion of security concerns for EOL or near EOL Windows versions

[Bill_Bright]

That said, I don't recommend anyone using XP as their daily internet driver. XP should only be used if no other option remains or if a specific need exists. Should such a need exist though, a few simple precautions taken will be enough to protect even the average user.

I don't even agree with this. The only specific need that may still exist is with custom software that only runs on XP. And in that case, that software needs to be upgraded or replaced with something not designed for an 18 year old OS.

I can certainly understand the desire to keep perfectly capable hardware in service. Nobody likes to retire any hardware that is still running. As a hardware guys, I'm on their side on that one. So to that, I say fine. But instead of running XP, install Linux on it. Then you can still use it safely for just about anything you want, except modern gaming. And if that is your goal, the ancient hardware probably is not capable of keeping up anyway.

 

[lexluthermiester]

WIN 7 will still be supported for another two years, but you have to pay for it & it's not open to all end users.

While this is true, such support is unlikely to make it out into the wild.

 

[Yukikaze]

I can certainly understand the desire to keep perfectly capable hardware in service. Nobody likes to retire any hardware that is still running. As a hardware guys, I'm on their side on that one. So to that, I say fine. But instead of running XP, install Linux on it. Then you can still use it safely for just about anything you want, except modern gaming. And if that is your goal, the ancient hardware probably is not capable of keeping up anyway.

While I am firmly in the Update Your Shit camp (as my earlier post in this thread shows): This is not always true. Laboratory equipment may not be compatible with Linux software, or may not have driver support. There are examples of Microscopes, microscope cameras, various diagnostic equipment is still perfectly usable 20 years after it first launched, but it has no support on anything by WinXP, and replacing this equipment can be exceedingly expensive (we're talking tens of thousands of dollars per a single piece of equipment).

Linux will not be your savior in this case, unfortunately. In this case the only real solution is an air gap, or good security at your gateway/firewall, but knowing these environments, they often lack in the knowledge to implement the latter properly. The good old air gap plus a good stable backup (if you catch something fatal due to the use of USB sticks to transfer data off these systems) still works, however.

 

[lexluthermiester]

I don't even agree with this. The only specific need that may still exist is with custom software that only runs on XP.

That's fair, but I've actually tested this recently. When protected properly, XP is still safe to use even today. Sure it has risks, but not much more than what you might get with Windows 10. Bill, grab a spare machine and try it. I'll walk you through setting it up and you can see for yourself.

 

[biffzinker]

but you have to pay for it & it's not open to all end users.

Details of the promotion were originally discovered by Computerworld (via ZDNet) in Microsoft's support documentation. The document states that businesses that have an active Windows 10 E5, Microsoft 365 E5, or Microsoft 365 E5 Security subscription as of December 31, 2019 are automatically entitled to an additional year of security updates for Windows 7. The promotion is valid for any subscription that's active as of that date, and though the promotion technically started on June 1, it doesn't matter when the subscription started.

Businesses may be able to extend Windows 7 security updates for free for one year

As Windows 7 gets increasingly closer to its end-of-support date, Microsoft is running a promotion which lets businesses with E5 subscriptions get an additional year of security updates for free.

www.neowin.net

 

[R-T-B]

Is that implicit permission?

No. But I am fairly confident it's footprint is minimal. Still, intrusion attempts in the logs are not met with kindness.

 

[Bill_Bright]

This is not always true. Laboratory equipment may not be compatible with Linux software, or may not have driver support. There are examples of Microscopes, microscope cameras, various diagnostic equipment is still perfectly usable 20 years after it first launched, but it has no support on anything by WinXP, and replacing this equipment can be exceedingly expensive (we're talking tens of thousands of dollars per a single piece of equipment).

I agree but for one, it is not likely any of those devices are connected to the Internet - and exposure to the Internet and its security concerns is the issue here. And I note it is the hardware makers responsibility to ensure compatible W10 drivers are available, not Microsoft's. But of course, those HW makers have no financial incentive to keep all that legacy hardware compatible. They would much rather these labs and other institutions buy all new hardware. Exactly the same as Dell, HP, Lenovo, Epson, ASUS, Gigabyte, MSI and all the others want us to buy new computers, printers, motherboards and graphics cards too.

When protected properly, XP is still safe to use even today.

But what about tomorrow? As I said above, that's the problem and key point you keep ignoring or overlooking. A new zero-day exploit could surface tomorrow and because Microsoft is no longer supporting it, and because many security apps no longer support it, that vulnerability may remain exposed forever. Where with W10, we know MS and the security apps will very quickly address it. That's the big difference and that's the reason XP (and Vista, and soon W7) needs to go away - or at least be disconnected from any network that has Internet access.

I'll walk you through setting it up and you can see for yourself.

LOL

No. You don't have to walk me through anything. I know very well how to secure my networks and computers, and those I am responsible for.

It is not me or my systems I am worried about. It is the systems belonging to the millions and millions of fools, undisciplined, ill-informed, misled, and/or inexperienced XP users out there who put the rest of us at risk that I am worried about - and you should be too, especially as a technical advisor! That's my whole point here.

It is those systems that are likely to be compromised (unbeknownst to the user)! And it is those systems that are then likely to be used to distribute spam or malware, or drafted into bot armies as zombies in DDoS attacks against company, organization and government networks.

If XP users only put themselves at risk, this really would not be an issue at all (unless they are one my family, a friend, or a client). But XP users who connect to the Internet put the rest of us risk, and are threats (if not today, then possibly tomorrow) to the rest of us. That point must NOT be ignored. And IMO, it is up to us, as the experts, to educate and get the word out. Not to ignore it or to minimize the threat with less experienced readers/users.

 

[eidairaman1]

I don't think it's a good idea to go online while running XP anymore and the OS is 18 years old. For gods sake let it rest in peace and move on. I'm not sure if Win 7 is safe for going online or not. I've still got a backup rig with Win 7 on it and I go online sometimes but definitely not to any bad neighborhoods.

Any system can be infected, smart browsing is key, even parental controls enabled on a isp can help

 

[lexluthermiester]

No. You don't have to walk me through anything. I know very well how to secure my networks and computers, and those I am responsible for.

So you are saying you are unwilling to try it. Ok. If you aren't willing to give it a go, further discussion is moot. At this point we need to, once again, agree to disagree.

But XP users who connect to the Internet put the rest of us risk

Using this logic, none of us should ever connect to the internet as we're all a potential risk to each other. For that matter none of us should ever leave our home for the risk of car accidents and such. Such is a flawed logic and is not supported by merit. Again properly configured Windows XP systems are no more a risk than old versions of MacOS and are harmless.

 

[Bill_Bright]

So you are saying you are unwilling to try it

Gee whiz. Did you even read what I said? Apparently not. I know I can secure a XP system that's why I certainly don't need you to show me how. It is not about me (or you). We are not "normal" users. It is about less experienced or negligent users and their machines.

Using this logic, none of us should ever connect to the internet as we're all a potential risk to each other.

Once again, it is clear you didn't bother to read what was said. The logic is NOT the same. W10 is supported by both the OS maker and all current security program developers. So even if a brand new zero day exploit is discovered, chances are it will be fixed, patched or some how secured BEFORE the bad guys are able to write and distribute code to exploit it. But once again, you bury your head in the sand and refuse to see or acknowledge that fact and clear distinction with XP.

 

[John Naylor]

I don't have any XP boxes. That being said, until I see a documented story saying "I was using Windows XP (or 7 or anything) and ... " / "I didn't patch Spectre ..." / "I didn't yad yada yada ... and then this bad thing happened", it's not real. Until then it's just FUD.... there's more reality in roadside tent churches performing miracles healing the infirm. Something that has yet to ever happen, is not something I care to worry about. These lab concept demonstrations which require Ethan Hunt and the Mission Impossible team to gain access to the PC and perform a series of unlikely tasks are not going to be undertaken by your usual hacker.

I used to get at least 2 e-mails a month from an obviously compromised windows 10 box with a cc list 50 names long and containing a link to an obviously untrustworthy site. How do I know ? You mostly get emails from folks you know. Many of them i built ... those came with 30 day free trials of a quality 3rd party AV program which the user obviously decided it wasn't worth $6 a year.

As for putting other users at risk ... if what you are using is so danged impregnable, then what is there to be worried about ? In December of 2018, Win 10 finally passed Win 7 in installed users ... those two being most prevalent that's what the bad guys are targeting. With less than 3%, of what value is both the market share but also the quality value of targeting some poor ole soul who hasn't upgraded in a decade. What critical / valuable info is on those machines?

Windows 10 41.58%
Windows 7 37.31%
Windows 8.1 4.56%
Mac OS X 10.14 3.97%
Mac OS X 10.13 3.10%
Windows XP 2.99%
Linux 1.55%
Mac OS X 10.12 1.17%
Windows 8 0.83%
Mac OS X 10.11 0.75%

The logic that an XP user could be infected and the only reason YOU got infected was because of them is faux logic. If they got infected, it's out there; if you are practicing safe habits, and have adequate protection there should be no reason to worry.

This was being said when Win 10 first came out in July / August 2015 and the same folks were saying the built in AV was just fine....

In August 2015 Windows Defender scored a 3 / 6 on protection.... letting thru 12.8% of "0-day malware attacks, inclusive of web and e-mail threats" in August of 2015 and 442 instances "widespread and prevalent malware discovered in the last 4 weeks" in July .... That was real. Now today, with Defender finally approaching a consistent level or reliable performance, we can reasonably expect this will continue to diminish over time. Certainly the number of boxes coming in to be 'cleaned of viruses" is diminishing.

This subject reminds me of the day I was taking the kids to Chucky Cheese for a B'day party and we passed a van with flags and lettering claiming the end was near and we only had 13 days to repent.... on the way back we saw the same van parked on the service road in front of a house with sheets on the roof with similar messages. Two weeks later, the kids came in and said "Hey dad, can we go back to that house ... I wanna see what the signs say now". So we did, and there were new signs with a new date. Every time we went past, it became a ritual to 'see what the new bed sheets said" ... this went on for about 12 years till I guess they moved out.

Started building Windows PCs in early 90s. In 25+ years, we have never performed an OS upgrade on a PC. Simple reason was "downgrade" was the more appropriate term. An OS upgrade required more OS resources cutting application performance. New boxes received the current NT based OS at the time and later the Pro versions. Each generation we always tested the new and old on same hardware and the older OS was always faster .... ME, Vista and Win 8 we never put any boxes using those OS's into active usage. Win 10 was close to Win 7 ... 10 did better in some things, 7 in others. Win95 was 40% slower than W4WGs and NT4.

Finally ya just have to wonder how much of this FUD comes from MS themselves ? As always, have to ask "who benefits ? "

 

[Vayra86]

I think this is a silly debate.

It is a simple fact that XP has unpatched vulnerabilities. It is reasonable to assume W7 does too - or that newly discovered vulnerabilities will be discovered in the future.

I would like to stretch your reply a bit further if I may, playing devils advocate. Isn't the above also true for W10? The only saving grace you have is that its supported and might be fixed. Might be - because its not like everything happens tomorrow.

Not a comforting thought, but a reality nonetheless. The illusion here is that of a perfect security, I think. We've seen recently that even our CPUs having unpatched vulnerabilities. Been running that for decades. You say zero day and 'it will be fixed' as if those things always happen in perfect harmony and order, but they really do not. Many applications harbor zero days on purpose for a while to get exploited. There is a whole economy going dealing in just that.

Which brings me to my personal stance on security.

Security is about mitigation. Not about a perfect airtight defense. Not using XP, does that truly mitigate things? For this, you would have to know what criminals would be targeting more, and I would dare say that today, a far more appealing target is W10; simply by market share. Then again, not all threats are OS specific. But say you need money. What would be a more appealing target, a W10 user with likely a newer rig (=money to buy one) or a dusty old sock using XP?

The question remains how much more you really mitigate by using W10 over, say, XP or Win7 after 2020, especially when you've done the bare necessities to secure an online rig.

This is not the same question btw as "Should you use XP". That is more than a security question, I think.

I don't have any XP boxes. That being said, until I see a documented story saying "I was using Windows XP (or 7 or anything) and ... " / "I didn't patch Spectre ..." / "I didn't yad yada yada ... and then this bad thing happened", it's not real. Until then it's just FUD.... there's more reality in roadside tent churches performing miracles healing the infirm. Something that has yet to ever happen, is not something I care to worry about. These lab concept demonstrations which require Ethan Hunt and the Mission Impossible team to gain access to the PC and perform a series of unlikely tasks are not going to be undertaken by your usual hacker.

I used to get at least 2 e-mails a month from an obviously compromised windows 10 box with a cc list 50 names long and containing a link to an obviously untrustworthy site. How do I know ? You mostly get emails from folks you know. Many of them i built ... those came with 30 day free trials of a quality 3rd party AV program which the user obviously decided it wasn't worth $6 a year.

As for putting other users at risk ... if what you are using is so danged impregnable, then what is there to be worried about ? In December of 2018, Win 10 finally passed Win 7 in installed users ... those two being most prevalent that's what the bad guys are targeting. With less than 3%, of what value is both the market share but also the quality value of targeting some poor ole soul who hasn't upgraded in a decade. What critical / valuable info is on those machines?

Windows 10 41.58%
Windows 7 37.31%
Windows 8.1 4.56%
Mac OS X 10.14 3.97%
Mac OS X 10.13 3.10%
Windows XP 2.99%
Linux 1.55%
Mac OS X 10.12 1.17%
Windows 8 0.83%
Mac OS X 10.11 0.75%

The logic that an XP user could be infected and the only reason YOU got infected was because of them is faux logic. If they got infected, it's out there; if you are practicing safe habits, and have adequate protection there should be no reason to worry.

This was being said when Win 10 first came out in July / August 2015 and the same folks were saying the built in AV was just fine....

In August 2015 Windows Defender scored a 3 / 6 on protection.... letting thru 12.8% of "0-day malware attacks, inclusive of web and e-mail threats" in August of 2015 and 442 instances "widespread and prevalent malware discovered in the last 4 weeks" in July .... That was real. Now today, with Defender finally approaching a consistent level or reliable performance, we can reasonably expect this will continue to diminish over time. Certainly the number of boxes coming in to be 'cleaned of viruses" is diminishing.

This subject reminds me of the day I was taking the kids to Chucky Cheese for a B'day party and we passed a van with flags and lettering claiming the end was near and we only had 13 days to repent.... on the way back we saw the same van parked on the service road in front of a house with sheets on the roof with similar messages. Two weeks later, the kids came in and said "Hey dad, can we go back to that house ... I wanna see what the signs say now". So we did, and there were new signs with a new date. Every time we went past, it became a ritual to 'see what the new bed sheets said" ... this went on for about 12 years till I guess they moved out.

Started building Windows PCs in early 90s. In 25+ years, we have never performed an OS upgrade on a PC. Simple reason was "downgrade" was the more appropriate term. An OS upgrade required more OS resources cutting application performance. New boxes received the current NT based OS at the time and later the Pro versions. Each generation we always tested the new and old on same hardware and the older OS was always faster .... ME, Vista and Win 8 we never put any boxes using those OS's into active usage. Win 10 was close to Win 7 ... 10 did better in some things, 7 in others. Win95 was 40% slower than W4WGs and NT4.

Finally ya just have to wonder how much of this FUD comes from MS themselves ? As always, have to ask "who benefits ? "

You're right it won't be an individual hacker, but what you will see is actual applications being built and sold as 'ready to deploy' for large scale attacks. For example the Ransomware packages. This rabbit hole goes pretty deep. The question really is how much have you got to lose and how much mitigation would you like to use. But to think its not real until it happened... that is a recipe for always being caught by surprise. I mean even Spectre, all you need is place a bit of code on a system to get to work collecting data. That is not unheard of, especially when its combined with an unpatched system.

Mitigation = layers of security. Its always good to have as many layers 'intact' as possible, so that also sort of answers the XP question: the OS is one of those layers you can get better versions of that are not quite as leaky. And in the very same way, its good to have those mitigations for Spectre installed, unlikely as a breach may be.

 

[TheoneandonlyMrK]

I would like to stretch your reply a bit further if I may, playing devils advocate. Isn't the above also true for W10? The only saving grace you have is that its supported and might be fixed. Might be - because its not like everything happens tomorrow.

Not a comforting thought, but a reality nonetheless. The illusion here is that of a perfect security, I think. We've seen recently that even our CPUs having unpatched vulnerabilities. Been running that for decades. You say zero day and 'it will be fixed' as if those things always happen in perfect harmony and order, but they really do not. Many applications harbor zero days on purpose for a while to get exploited. There is a whole economy going dealing in just that.

Which brings me to my personal stance on security.

Security is about mitigation. Not about a perfect airtight defense. Not using XP, does that truly mitigate things? For this, you would have to know what criminals would be targeting more, and I would dare say that today, a far more appealing target is W10; simply by market share. Then again, not all threats are OS specific. But say you need money. What would be a more appealing target, a W10 user with likely a newer rig (=money to buy one) or a dusty old sock using XP?

The question remains how much more you really mitigate by using W10 over, say, XP or Win7 after 2020, especially when you've done the bare necessities to secure an online rig.

This is not the same question btw as "Should you use XP". That is more than a security question, I think.

Im of the present opinion security is an illusion created by marketing and management to keep turning a dime.
While others earn by the direct compromise of this illusion of security.

In life I see too many people willing to let stuff slip for a deadline or target or to have mearly an easier life.
I can't stand that mentality personally im apparently observations man though (blue a sickly colour to a man U fan) but i definitely envision half assed shit going on everywhere.
Not good for security.

 

[Vayra86]

Im of the present opinion security is an illusion created by marketing and management to keep turning a dime.
While others earn by the direct compromise of this illusion of security.

In life I see too many people willing to let stuff slip for a deadline or target or to have mearly an easier life.
I can't stand that mentality personally im apparently observations man though (blue a sickly colour to a man U fan) but i definitely envision half assed shit going on everywhere.
Not good for security.

Haha, well we all know that most of the security problems involve PEBCAK. Which also brings us to keeping XP over a more secure OS when the option is there

Still I like how some believe it to be a capital sin, I think that's a bit much, especially if you're conscious about your usage. The question remains how an individual would know he knows enough though

 

[TheoneandonlyMrK]

Haha, well we all know that most of the security problems involve PEBCAK. Which also brings us to keeping XP over a more secure OS when the option is there

Maybe, but someone hire's and pay's said people.

In The old days someone , normally The Boss, walked round , checked what people were doing and gave them shtick if it wasn't their job.
In this modern era of f@@# experience we want the most enthusiastic and pre desposed to nod person as Boss and underling they typically do not do this.

So the quality of output slip's.

 

[eidairaman1]

Software is vulnerable no matter what so might as well cut the ethernet cord or break your wifi adapters, modems, phones

 

[moproblems99]

Software is vulnerable no matter what so might as well cut the ethernet cord or break your wifi adapters, modems, phones

The difference is whether you need to be state funded or a script kiddie to exploit the flaws.

Simply saying cut the cord because everything is vulnerable is the same as saying don't use any protection because everything is vulnerable.

All of this still falls into the common sense realm. If you do dumb things, you are going to pay for them. If you take decent precautions, you are likely going to be ok.

Security 101.

 

[TheoneandonlyMrK]

Software is vulnerable no matter what so might as well cut the ethernet cord or break your wifi adapters, modems, phones

Absolutely if security is everything, I still use most gadgets etc though bro, because at the end of the day we mere people have processing needs, so we have to risk it.
You should do all that's reasonable, especially backup's and clever password systems or tricks, latest software is a minimum for me these days yet in the past this didn't concern me much.

And just crack on , I would only use Xp in a virtual or isolated condition personally though.

 

[eidairaman1]

The difference is whether you need to be state funded or a script kiddie to exploit the flaws.

Simply saying cut the cord because everything is vulnerable is the same as saying don't use any protection because everything is vulnerable.

All of this still falls into the common sense realm. If you do dumb things, you are going to pay for them. If you take decent precautions, you are likely going to be ok.

Security 101.

Absolutely if security is everything, I still use most gadgets etc though bro, because at the end of the day we mere people have processing needs, so we have to risk it.
You should do all that's reasonable, especially backup's and clever password systems or tricks, latest software is a minimum for me these days yet in the past this didn't concern me much.

And just crack on , I would only use Xp in a virtual or isolated condition personally though.

I was being sarcastic with my statement.

To be frank I am tired of Microsoft's bullcrap, forced updates that break the operating system and also change the GUI in 2015-now, from what it was in 95 all the way to Windows 7 was perfect, it made no sense to change it 4 years ago.

I'd only run XP stripped out of all Telemetry and hardened on a Athlon XP system unless if I can find a nf2 gart driver for Windows 7 32.

I believe at this point I see a hybrid Linux operating system being my next move. I refuse to run Windows 10, my school notebook has it and it sucks.

 

[R-T-B]

Software is vulnerable no matter what so might as well cut the ethernet cord or break your wifi adapters, modems, phones

Really bad philosophy here. Just because exploits are unavoidable does not make ignorning them desirable.

 

[Grog6]

I just put all the old computers on a separate network, and have one PC with two ethernet ports, one for each network, for loading files or drivers to the other computers.

I have Win95 computers running still.

As long as you don't bridge the ports, they're not exposed to the internet.

Also, I run NoScript and UBlock, along with ESET AV, so malware has a rough time getting started.

 

[lexluthermiester]

Finally ya just have to wonder how much of this FUD comes from MS themselves ?

A fair amount of it. Little more than fear-mongering.

would like to stretch your reply a bit further if I may, playing devils advocate. Isn't the above also true for W10? The only saving grace you have is that its supported and might be fixed. Might be - because its not like everything happens tomorrow.

Not a comforting thought, but a reality nonetheless. The illusion here is that of a perfect security, I think. We've seen recently that even our CPUs having unpatched vulnerabilities. Been running that for decades. You say zero day and 'it will be fixed' as if those things always happen in perfect harmony and order, but they really do not. Many applications harbor zero days on purpose for a while to get exploited. There is a whole economy going dealing in just that.

Which brings me to my personal stance on security.

Security is about mitigation. Not about a perfect airtight defense. Not using XP, does that truly mitigate things? For this, you would have to know what criminals would be targeting more, and I would dare say that today, a far more appealing target is W10; simply by market share. Then again, not all threats are OS specific. But say you need money. What would be a more appealing target, a W10 user with likely a newer rig (=money to buy one) or a dusty old sock using XP?

The question remains how much more you really mitigate by using W10 over, say, XP or Win7 after 2020, especially when you've done the bare necessities to secure an online rig.

This is not the same question btw as "Should you use XP". That is more than a security question, I think.

That was very well stated. Can not disagree on any one point.

Really bad philosophy here. Just because exploits are unavoidable does not make ignoring them desirable.

Again, what are we all going to do, not get on the internet? And never was it suggested that they be ignored. I suggested that they be preempted by properly configuring the OS and using a good firewall and antimalware. There are plenty of them out there that still work very well. Hell, such is what I regularly research for Windows 10. It is an ongoing process.

 

[moproblems99]

Again, what are we all going to do, not get on the internet? And never was it suggested that they be ignored. I suggested that they be preempted by properly configuring the OS and using a good firewall and antimalware. There are plenty of them out there that still work very well. Hell, such advice I what I regularly research for Windows 10. It is an ongoing process.

Clearly you were not who he was quoting, right?

 

[lexluthermiester]

Clearly you were not who he was quoting, right?

Clearly you understand how forum discussions work... (Hint, you don't have to be the one quoted to respond to a comment. That's why it's called a "forum". It is a venue of public discussion.)

 

[Bill_Bright]

I don't have any XP boxes. That being said, until I see a documented story saying "I was using Windows XP (or 7 or anything) and ... " / "I didn't patch Spectre ..." / "I didn't yad yada yada ... and then this bad thing happened", it's not real. Until then it's just FUD

So are you really suggesting anyone who's system becomes compromised will automatically know their system has been compromised? Does that really make sense to you? Is all malware so poorly written that once installed, it will immediately result in "bad things happening" to that machine such that every infected user will immediately know they are infected?

Sorry, but that is more nonsense. There is a lot of malware that is designed to be very stealthy and NOT disrupt operations of the compromised system. Some are designed, for example, to send out small, undetectable bursts of 10 or 12 small spam messages, or "socially engineered" malware laded messages to other users. Or the malware may make a couple dozen quick log-in attempts on a targeted site as part of a DDoS attack, go dormant for awhile then send a dozen more. Tasks that last just a few seconds. Malware that does NOT corrupt the infected system. There is a lot of malware designed to sit dormant and undetected until triggered by some event months or even years down the road.

And it is not whether the user applies available patches or not. Its the fact MS is no longer developing patches for XP to apply! That's not FUD, that's fact!

It is the fact "white-hat" security firms are actively working for and with Microsoft, or independently to seek out and report vulnerabilities in W10 before the bad guys can find them. That's not FUD. That's fact.

Popular anti-malware programs may still send out signature/definition updates, but many no longer provide program updates or even bug fixes and other support for XP. AVG is a perfect case in point. And of course, Avast (as the parent company to AVG), has the same policy.

McAfee provides "only 'best effort' support on XP" and the "current McAfee Windows security products do not support Windows XP."
Kaspersky system requirements - no mention of XP or Vista.

Again, not FUD, but fact.

I would like to stretch your reply a bit further if I may, playing devils advocate. Isn't the above also true for W10? The only saving grace you have is that its supported and might be fixed. Might be - because its not like everything happens tomorrow.

Only? And might be? The fact it is still supported (by both MS and the anti-malware industry) is the critical difference. You can't marginalize this by suggesting that fact is insignificant or nearly insignificant.

The facts you and Lex keep ignoring is that any newly discovered vulnerability in W10 will be addressed. Microsoft will either correct the bug, patch the flaw and/or the anti-malware industry will protect the vulnerability from exploitation. That is a HUGE distinction between the supported Windows 10 and the unsupported XP.

I don't doubt that any of the regulars on this site are capable of securing XP for their own protection. As I said above, that is not my worry. My worry is the message, we as advisers, send to the other 99% of the users out there when we suggest the security threat with XP Is just FUD. Its not FUD, its fact. And the fact remains, infected XP systems are not likely to be patched, thus they will become and remain threats to the rest of us, and targeted organizations.

Do you really think it wise of you (speaking to those condoning and even promoting the continued use of XP) to dismiss these facts when giving advise to your friends and family workers who don't have your levels of expertise or discipline and whose computers are not under your direct control? Do you really think it wise to give such advice in forums like this where you don't truly know the level of expertise of all the posters and potential readers?

Not only do I think it unwise, I say it is irresponsible. XP holdouts need to be told to upgrade, or switch to Linux. Simple as that. It is not like they didn't have plenty of advanced notice.

Retiring superseded and obsolete protects - especially consumer electronics - before it dies is just a fact of life. We did it with 8-Tracks, cassettes, CRT TVs and monitors, analog TVs, wireless phones and cell phone and more. The difference here is keeping old 8-Track players and CRT monitors in use did not present a security threat to us or others.